I am having a problem with CAS 3.4.7 in a deployment where there are 2 CAS
servers sitting behind a load balancer operating in round-robin mode (at least
they are operating that way at this moment). Most, but not all, of the time,
when I do a CAS login, I end up with an http response code of 500, and a
generic CAS error page (don't remember the exact text, but it's just a sentence
or 2 saying that there was a problem). I turned on debug logging, and it
appears that the problem may be that the new CasFlowExecutionKeyFactory class
is generating a unique encryption key for each of my 2 CAS servers and that
this key is being used to encrypt/decrypt a web flow session key. However,
since each server has generated its own encryption key, the decrypt operation
fails on one server when the web flow session key was encrypted on the other
server. I've included some debug log output from the two servers below. I
have worked around this problem by changing this line:
<bean id="flowExecutionRepository"
class="org.jasig.cas.web.flow.CasFlowExecutionKeyFactory">
to this:
<bean id="flowExecutionRepository"
class="org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository">
in cas-servlet.xml. After making that change, everything seems to be working
properly. If my understanding of the problem ends up being correct, it seems
like there needs to be a reasonable solution for those of us requiring multiple
CAS servers. Perhaps using sticky sessions would help, but we need high
availability, and it would seem like if a server failed and the load balancer
directed traffic to the other server, then things would fail for those users,
which obviously isn't good. Some questions:
1. Are there any possible problems with the workaround I've implemented that I
don't know about right now? Is there a better way to work around the issue?
2. Is it necessary to encrypt this web flow session key at all? I don't have
the big picture of what is going on here, but all of our CAS interactions are
happening over https, so I'm not sure that it's necessary for me to encrypt
these session keys. If it's true that this encryption is not necessary when
using https, perhaps a flag in a config file, to disable this encryption would
be a good idea?
3. If encryption really is necessary, then perhaps the encryption key should
be externalized into a config file, so that I can set it to be the same key for
both of my servers? This doesn't appear to be possible (or at least easy) with
the way it's coded now.
Some debug output from server1 (note the key 26CB737...):
2011-04-05 23:26:40,325 DEBUG
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
- <Putting conversation attribute 'name' with value login>
2011-04-05 23:26:40,325 DEBUG
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
- <Putting conversation attribute 'caption' with value null>
2011-04-05 23:26:40,325 DEBUG
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
- <Putting conversation attribute 'description' with value null>
2011-04-05 23:26:40,325 DEBUG
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
- <Putting conversation attribute 'flowExecutionSnapshotGroup' with value
org.springframework.webflow.execution.repository.impl.SimpleFlowExecutionSnapshotGroup@21645be6>
2011-04-05 23:26:40,429 DEBUG
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Assigned key
26CB7376FF1CBB089B50B84AF907EE519166845CABB838FAF2D8F4468453C208F360C11FBE172E0FA6B6DD824342F4B5>
Some debug output from server2 (note the key 26CB737...):
2011-04-05 23:26:53,243 DEBUG
[org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with
name 'cas' processing POST request for [/cas/login]>
2011-04-05 23:26:53,243 DEBUG
[org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping request
with URI '/cas/login' to flow with id 'login'>
2011-04-05 23:26:53,243 DEBUG
[org.springframework.webflow.executor.FlowExecutorImpl] - <Resuming flow
execution with key
'26CB7376FF1CBB089B50B84AF907EE519166845CABB838FAF2D8F4468453C208F360C11FBE172E0FA6B6DD824342F4B5>
2011-04-05 23:26:53,255 DEBUG
[org.springframework.web.servlet.DispatcherServlet] - <Could not complete
request>
java.lang.RuntimeException: javax.crypto.BadPaddingException: Given final block
not properly padded
at
org.jasig.cas.web.flow.CasFlowExecutionKeyFactory.decrypt(CasFlowExecutionKeyFactory.java:92)
at
org.jasig.cas.web.flow.CasFlowExecutionKeyFactory.parseFlowExecutionKey(CasFlowExecutionKeyFactory.java:168)
at
org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164)
at
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:115)
at
org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:44)
at
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.tcInvoke(SessionValve55.java:99)
at
org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:86)
at
org.terracotta.session.ModernTomcatSessionValve.invoke(ModernTomcatSessionValve.java:66)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.crypto.BadPaddingException: Given final block not properly
padded
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at
org.jasig.cas.web.flow.CasFlowExecutionKeyFactory.decrypt(CasFlowExecutionKeyFactory.java:90)
... 36 more
2011-04-05 23:26:53,275 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor]
- <Extractor generated service for:
http://test-web.acteea.local/Admin/j_spring_cas_security_check>
Thanks,
--Jon
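As an added illustration of the failure mode described in this post, and of the externalized shared key proposed in question 3, the following self-contained Java program reproduces the cross-node decrypt in miniature. It is example code written for this thread, not CAS's CasFlowExecutionKeyFactory: the class name NodeKeyFactory, the helper names, and the sample flow key "e1s1" are all made up for the demo. Each NodeKeyFactory stands in for one CAS node; the no-argument constructor mimics the per-node random AES key the post describes, and the byte[] constructor mimics a key loaded from shared configuration. The example uses AES-GCM rather than whatever mode CAS 3.4.7 used, because with GCM a wrong key always fails the tag check (AEADBadTagException, a subclass of the BadPaddingException seen in the stack trace), whereas with PKCS5 padding a wrong key will occasionally produce a valid-looking padding byte and slip through as garbage.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Demo of per-node vs. shared flow-execution-key encryption. Hypothetical; not CAS code. */
public class FlowKeyDemo {

    static final int IV_BYTES = 12;   // GCM nonce length
    static final int TAG_BITS = 128;  // GCM authentication tag length

    /** Stand-in for one node's key factory. */
    static final class NodeKeyFactory {
        private final SecretKey key;
        private final SecureRandom rng = new SecureRandom();

        /** Per-node random key: the behaviour the post attributes to CasFlowExecutionKeyFactory. */
        NodeKeyFactory() throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            this.key = kg.generateKey();
        }

        /** Key supplied from outside, e.g. one property value deployed to every node. */
        NodeKeyFactory(byte[] rawKey) {
            this.key = new SecretKeySpec(rawKey, "AES");
        }

        /** Encrypts a flow execution key; output is base64url(iv || ciphertext || tag). */
        String encrypt(String plainKey) throws GeneralSecurityException {
            byte[] iv = new byte[IV_BYTES];
            rng.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plainKey.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        }

        /** Reverses encrypt(); throws AEADBadTagException (a BadPaddingException) on a wrong key. */
        String decrypt(String token) throws GeneralSecurityException {
            byte[] in = Base64.getUrlDecoder().decode(token);
            byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
            byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            return new String(c.doFinal(ct), StandardCharsets.UTF_8);
        }
    }

    /** Generates the shared key once, out of band, for distribution via configuration. */
    static String generateSharedKeyBase64() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
    }

    /** Encrypts on node1, decrypts on node2 (the load-balancer hop); true when the round trip works. */
    static boolean roundTrip(NodeKeyFactory node1, NodeKeyFactory node2, String flowKey) {
        try {
            return flowKey.equals(node2.decrypt(node1.encrypt(flowKey)));
        } catch (BadPaddingException e) {
            // Same symptom as the post's trace: the second node cannot decrypt the first node's key.
            return false;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String flowKey = "e1s1";  // constructed sample flow execution key, not a real CAS value

        // Case 1: each node generated its own key, as the post describes for CAS 3.4.7.
        NodeKeyFactory a = new NodeKeyFactory();
        NodeKeyFactory b = new NodeKeyFactory();
        System.out.println("independent keys, cross-node decrypt ok: " + roundTrip(a, b, flowKey));  // false

        // Case 2: both nodes load the same externalized key (question 3 in the post).
        byte[] shared = Base64.getDecoder().decode(generateSharedKeyBase64());
        NodeKeyFactory c1 = new NodeKeyFactory(shared);
        NodeKeyFactory c2 = new NodeKeyFactory(shared);
        System.out.println("shared key, cross-node decrypt ok: " + roundTrip(c1, c2, flowKey));  // true
    }
}
```

Run it with `javac FlowKeyDemo.java && java FlowKeyDemo`. The first case prints false every time, matching the intermittent 500s in a round-robin deployment (it only works when the same node happens to both issue and resume the flow); the second prints true. If a shared key is adopted, treat it like any other secret: generate it once with generateSharedKeyBase64() or equivalent, distribute it through the same channel as the rest of the node configuration, and rotate it during a maintenance window, since in-flight login flows encrypted under the old key will fail to resume on nodes that have already switched.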
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user